You might think that the worst thing you can do with a phishing email is to click on the malicious link embedded within. You’d be wrong. There’s something worse, much worse. What’s that? How about forwarding the email to other employees, lots of them?
A recent article on security website SC Magazine details all the bad things employees do with suspicious emails. As it turns out, it’s not uncommon for employees to forward infected emails to other employees. What’s even crazier, according to the article, is that “even when users do suspect that danger may be lurking within emails they have received, they still forward those malicious emails to others. When they do, they inadvertently kick off a chain of forwards, exposing multiple users to malicious links and attachments.”
What makes forwarding a malicious email bad is twofold. First, it has the potential to spread the problem beyond just the recipient. Instead of one person getting their login credentials compromised, there’s now the potential for dozens of them to get phished.
The other thing that makes forwarding an email bad is that it becomes increasingly difficult for users to identify it as a phishing email with every forward.
That’s because two of the clues that hint at a phishing email are
1) the sender’s name/email address and
2) the content of the email itself.
Forwarding the email legitimizes both of them and buries the clues that it’s a phishing email further down in the email, making it even harder to detect.
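To make the buried-clue problem concrete, here is an added example (not from the SC Magazine article or any product) that digs the original sender out of an inline forward chain and reports how far down the body it sits. The sample message, the addresses and the `example.com` internal domain are constructed, and a single-part plain-text message is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an external message forwarded twice inside example.com.
RAW = """\
From: Dana Lee <dana.lee@example.com>
To: all-staff@example.com
Subject: Fwd: Fwd: Action required: password expires today

Is this real? Sending it round just in case.

---------- Forwarded message ---------
From: Sam Ortiz <sam.ortiz@example.com>
Date: Mon, 3 Jun 2019 09:12:00 +0000
Subject: Fwd: Action required: password expires today
To: Dana Lee <dana.lee@example.com>

Looks odd to me, what do you think?

---------- Forwarded message ---------
From: IT Helpdesk <helpdesk@examp1e-support.test>
Date: Mon, 3 Jun 2019 08:47:00 +0000
Subject: Action required: password expires today
To: Sam Ortiz <sam.ortiz@example.com>

Your password expires today. Sign in at the link below to keep access.
"""

# A "From:" at the start of a body line is a quoted header from an earlier hop.
QUOTED_FROM = re.compile(r"^[> \t]*From:[ \t]*(.+)$", re.MULTILINE | re.IGNORECASE)

def quoted_senders(raw):
    """Return (address, body_line_number) for each quoted From: line, top to bottom."""
    body = message_from_string(raw).get_payload()  # single-part text assumed
    return [(parseaddr(m.group(1))[1].lower(), body.count("\n", 0, m.start()) + 1)
            for m in QUOTED_FROM.finditer(body)]

def buried_external_sender(raw, internal_domain):
    """Return (visible_sender, original_sender, body_line) when the earliest hop is external."""
    visible = parseaddr(message_from_string(raw)["From"])[1].lower()
    hops = quoted_senders(raw)
    if not hops or hops[-1][0].endswith("@" + internal_domain):
        return None
    return visible, hops[-1][0], hops[-1][1]
```

On the sample, the recipient sees a colleague’s address in the From field, while the look-alike external address only appears twelve lines into the body.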
We’re not talking about sophisticated phishing schemes like the one a Google engineer discovered that can defeat two-factor authentication (2FA), or the South Korean website that was hit with a rare waterhole phishing scheme. We’re talking about employees forwarding known suspicious emails. Still think all you need is some employee training to stop phishing attacks?
The only chance you have to stop phishing emails is to deploy technology which stops them even when employees do everything wrong, because that’s inevitably what some of them will do. When you’re ready to get serious about email security and take your lovably human employees out of the equation, head on over to Phish Protection and find out how fast and inexpensive it is to get protected. Or, be prepared to scroll down every forwarded email that comes your way.